Tuesday, August 7, 2012

Last week former Gizmodo writer Mat Honan found his iCloud account compromised which the hackers used to reset his Gmail password. They then gained control of his Twitter account and used it to broadcast racist and homophobic messages. The hackers also remotely erased all of the data on his iPhone, iPad, and MacBook from his Apple account. “In the space of one hour, my entire digital life was destroyed”, says Mat Honan.

Like most people Honan had his accounts daisy-chained together. Getting into one account allowed the hackers to get into the others. “Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc.”

The email account is the most important of all accounts. When you lose control of your email you lose your online identity. But the consequences are usually deeper and often affect your life outside of the Internet. The hackers have access to every sensitive information that is important to you – your credit card numbers, bank account information, your social account, medical info and more.

It’s been a while Google added two-factor authentication ability to Google accounts but not many people are using it because they think it’s a big inconvenience. Sure, it’s a hassle to setup but the enhanced security you get, and not to mention the peace of mind, is worth it. Besides, once you’ve authorized all your devices using two-factor authentication you don’t have to enter the PIN every time you login. Only when you try to login using another machine that the SMS-PIN code becomes necessary.

Matt Cutts, in his recent blog post, answers some of the frequently asked questions and clears doubts people have regarding two-factor authentication.

Myth #1: But what if my cell phone doesn’t have SMS/signal, or I’m in a foreign country? Reality: You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.

Myth #2: Okay, but what about if my cell phone runs out of power, or my phone is stolen? Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.

Myth #3: Don’t I have to fiddle with an extra PIN every time I log in? Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.

Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP? Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.

Myth #5: Okay, but what if I want to verify how secure Google Authenticator is? Reality: Google Authenticator is free, open-source, and based on open standards.

Myth #6: So Google Authenticator is a free and open-source, but does anyone else use it? Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, Amazon Web Services, Drupal, and DreamHost, or even use a YubiKey device.